> On Sep 20, 2025, at 12:55 PM, Mike Ounsworth <[email protected]> wrote:
>
> neither of them is *really* doing anything RATSy, which would involve for
> example taking a posture assessment of the device from which the request
> originated.

Not sure what precisely is meant by posture assessment, but I don’t think attestation/RATS requires measurements at all. A single evidence message that just identifies the device as made and secured by some OEM is enough.

I’m a little out of date on FIDO/WebAuthN. Maybe nothing has changed. FIDO/WebAuthN does both device attestation and user authentication. It was the device attestation part of FIDO that got me started working on EAT.

(FIDO needs device attestation because the user is no longer presenting their authentication credential to the server. Instead the user presents their credential (e.g. fingerprint) to the device and the device authenticates to the server. The server wants to know the device is a trusted intermediary. There’s no measurement of the device in FIDO attestation.)

LL

_______________________________________________
Acme mailing list -- [email protected]
To unsubscribe send an email to [email protected]
